Operation Lotus Blossom

Transcription

OPERATION
LOTUSBLOSSOM
R E P O R T B Y – R O B E R T FA L C O N E , J O S H G R U N Z W E I G ,
J E N M I L L E R - O S B O R N , R YA N O L S O N
PALO ALTO NETWORKS | 4401 Great America Parkway | Santa Clara, CA 95054
www.paloaltonetworks.com
TABLE OF CONTENTS
Introduction 3
Operation Details 3
Vietnam
4
Philippines 10
Taiwan and Hong Kong 11
Indonesia 12
Elise Backdoor Analysis 12
Variant A 13
Variant B 17
Variant C 20
Previous Research 23
Conclusion 24
Appendix 25
Elise Sample Details 25
Elise Executable SHA256 values 33
Elise Delivery Document SHA256 values 34
Elise Command and Control Servers 35
Introduction
Operation Lotus Blossom describes a persistent cyber espionage campaign against
government and military organizations in Southeast Asia, stretching back over three
years. Nations we have identified as targeted in this campaign include Hong Kong,
Taiwan, Vietnam, the Philippines and Indonesia. The Lotus Blossom group deploys a
backdoor Trojan, named Elise, after the sports car made by Group Lotus PLC of the
United Kingdom.
The group relies on spear phishing attacks to infect its users, often using a malicious
office document and decoy file containing content relevant to the target’s occupation or
interests. The spear phishing attachment typically includes exploit code for a well-known
Microsoft® Office® vulnerability, CVE-2012-0158, which is used to install the Trojan
on the system and then display the decoy file, tricking the user into thinking the file
opened correctly. Example decoy files include:
•A spreadsheet listing high-level officers in the Philippine Navy, along with their
dates of birth and mobile phone numbers.
•The operational humanitarian and disaster response (HADR) plan for the
Armed Forces of the Philippines, stamped “Secret.”
•An invitation to the screening of a film at the Norwegian embassy.
While we have not identified specific individuals responsible for these attacks, the
evidence suggests a nation state with a strong interest in Southeast Asia. Elise
is a custom backdoor Trojan, not readily available online. The tool appears to be
used exclusively by Lotus Blossom and was likely developed specifically for their
operations. The targets attacked by this group are almost exclusively military and
government organizations, whose data is most valuable to other nation states, rather
than criminal actors. The fact that this campaign has been ongoing for over three
years indicates the individuals behind the attack are well-resourced.
Using the Palo Alto Networks® AutoFocus™ platform, which enables analysts to
correlate the results of the hundreds of millions of reports generated by the WildFire™
service, Unit 42 has linked over 50 individual attacks to this campaign.
The Operational Details section of this report provides details on specific attacks
against the targeted governments. The Elise Backdoor Analysis section contains
descriptions of how the three different variants of Elise operate and how they
changed over time. Domain names and IP addresses used for command and control,
as well as hashes of the files used in the attacks are included in the appendix.
Operation Details
Operation Lotus Blossom repeatedly targeted several Southeast Asian countries’
militaries and government agencies, beginning in 2012 and continuing through 2015. The
bulk of the activity discussed in this paper involves heavy targeting against both Vietnam
and the Philippines during 2013 and 2014.
PA L O A LT O N E T W O R K S
+
3
All of the attacks use the custom backdoor
Trojan named Elise, which gives the Lotus
Blossom group their initial foothold in a
network. From there, they can install additional
tools, move laterally, and exfiltrate data from
the network. Elise is described in more detail
later in this report.
The operation relies heavily on spear
phishing as the initial attack vector, with
enticing subject lines and legitimate-looking
decoy documents meant to trick users into
believing they are opening a legitimate file,
as opposed to malware. A popular theme for
the decoy documents was personnel rosters,
largely claiming to be for specific military or
government offices. Another theme was the
use of attractive pictures of Asian women that
were sourced from the Internet. Some of the
information contained in the decoys could be
found on the Internet; however, it is worth
noting none of the military or government
themed decoys could be found.
Vietnam
Hong Kong
& Taiwan
Indonesia
Philippines
In particular, the decoys used against the
Philippines were exclusively military and
FIGURE 1 + Elise backdoor samples and C2 infrastructure
government themed, with the bulk purporting
in distinct but overlapping groups.
to be related to the Navy. As we were unable
to find any of the decoys online, and they
purport to contain sensitive information, we have not included images of them, in case
the information is legitimate. One document is even stamped “Secret.”
While all of the Lotus Blossom attacks appear to be the work of a single group, the
infrastructure used to target each nation is largely separate (Figure 1). Each Trojan binary
in this diagram is connected to command and control (C2) IP addresses and domains
that are defined in the Trojan’s configuration file. Additionally, the domains are connected
to email addresses used to register them, as well as IP addresses they resolve to at the
time of the attack. These links create a visual map of the attacks, which shows that, while
the infrastructure is not identical in each attack, they are all connected. In the following
sections, we will take a closer look at the attacks on each nation.
Vietnam
The Lotus Blossom campaign against the Vietnamese government was the most
persistent and consisted of 11 waves of spear phishing, primarily during November
2014. There were a total of eight droppers — one Microsoft Excel® document and five
Microsoft Word® documents. All included a decoy document intended to trick users
into believing they had opened a legitimate file rather than malware, and the content
of each was different.
+
4
The attacks on Vietnam break into two distinct groups. All but three samples used
overlapping C2 infrastructure (Figure 2), including two domains registered by
“[email protected],” which was also used registered C2 domains used in attacks
against other Southeast Asian countries. This group of attacks used the following
campaign codes to identify their infections, many of which include the string “Alice,”
which may have a significance we have not yet identified.
•Alice_erpas
•Alice_rosey
•Alice_15A
•Alice_Spider
•Alice_vishipel
•jessica-cpt-app
•oyf
•ooo
FIGURE 2 + Elise samples and infrastructure used to target the Vietnamese government.
+
5
The second group of attacks (Figure 3) used a different registrant not seen elsewhere in
this activity, but overlap with targeting, campaign code structure, and one C2 IP address.
While the other domains maintained the information they were originally registered
with, one domain used here was registered by ‘[email protected]’ and then updated to
‘[email protected]’. The initial registrant also registered other domains
detailed in this paper, targeting other Southeast Asian countries prior to their updating,
indicating this may be a reseller favored by particular APT group(s). It could also be a
simple matter of actor preference, but we cannot say for sure one way or the other. The
other domain used a registrar that does not show any registration information. The three
campaign codes used with these samples are below.
•QY030610
•KITY01232
•KITY090901
FIGURE 3 + Diagram of second group of Vietnam attacks.
Most of the attachments used in this campaign had a technical theme, shown in figures two
through four. Additionally, all were written in Vietnamese. We are not including an image of
one sample, as it claims to be a certification test for a particular type of VSAT terminals. It is
unknown how the actors obtained a test for this course, assuming the questions are legitimate.
FIGURE 4 + Instructions on how to install and use LogFusion, a legitimate tool used to parse log files.
+
6
FIGURE 5 + The agenda for Vietnam’s Ministry of Information and Communication
workshop with Vibrand, which was held on 4 December 2014. The purpose of the
workshop was promoting the development of products and IT services in Vietnam.
FIGURE 6 + Excel spreadsheet titled “VPTW Transfer Network Phase 2” and lists a
number of provinces in Vietnam as well as Taiyuan in China.
+
7
The final four sample decoy documents had very different themes. One was an
invitation to an event at the Norwegian Embassy in Vietnam commemorating the
anniversary of the Kon-Tiki voyage (Figure 7). Of note, the date of the invitation is
incorrect — the actual event took place 11 and 12 December 2014. The requested
email address accepting RSVPs also seems just slightly suspicious, and they helpfully
instructed the recipients to forward the invitation, if they were unable to attend. Two
of the decoys contained one or more images of attractive Asian women taken from
the Internet, one of which (shown in Figure 8) was used multiple times. The final
decoy contained a Merry Christmas image with broken English text.
FIGURE 7 +
Fake invitation
to an event
commemorating
the Kon-Tiki
voyage.
FIGURE 8 + Photo of Hoàng Thùy Linh,
a Vietnamese actress and singer.
FIGURE 9 + A Merry Christmas image
with broken English text.
+
8
The second group of attacks also used decoy documents written in Vietnamese. One
document purported to be a contact roster and contains the names and Vietnamese
webmail email addresses for multiple high-level Vietnamese officials. The first page of
the second decoy is shown below (Figure 10) and claims to be an IT upgrade plan for
2015 for the Vietnamese government. The final sample also appears to be related to
an IT upgrade plan, with implementation dates and responsible individuals (Figure 11.)
FIGURE 10 + Claims to be an IT upgrade plan for 2015 for the Vietnamese government.
FIGURE 11 + Also appears to be related to an IT upgrade plan, with implementation dates and
responsible individuals.
+
9
Philippines
The Lotus Blossom operation has
targeted the Philippine government,
with a particular focus on the
military, since at least 2013. We
identified six unique Elise droppers,
each with its own decoy document
and content. These samples all
had overlapping command and
control infrastructure (Figure 12).
All six decoy documents were
related to the Philippine military
or government, primarily claiming
to contain contact information for
high-level officers and officials.
We are not including images, as
it is possible the information is
legitimate, but the subject lines
with brief descriptions are included
in Table 1 below.
FIGURE 12 +
Connections between
Elise samples and C2
servers used in attacks
on the Philippines.
Decoy Name
Decoy Description
DFA GAD Directory
Claims to be a directory of personnel in the Philippine Department of Foreign
Affairs Gender and Development, including private emails and cellphones.
HADR PLAN 29 May 14
Claims to be the operational humanitarian and disaster response (HADR) plan for
the Armed Forces of the Philippines and is stamped “Secret.”
C,1AD NR 03-0226-313-14 Claims to document a problem logging into an account for a specific real-time
aircraft tracking system and appears to be a Philippine Air Force document.
RQST MOUTPIECE
LOUD HAILER
Claims to be a requisition form for a mouthpiece for a specific hailer for a specific
unit.
PN KEYPOSITION with
CELL Nrs
Claims to be a roster of high-level officers at the Philippine Naval Headquarters
and is dated 23 June 2014. It has birth dates and cellphone number as well as
current job roles.
Cellphone Number
Claims to be a roster of high-level officers at the Philippine Naval Headquarters
and is dated February 2015. It contains job roles as well as cellphone numbers.
Table 1 + Names and descriptions of decoy documents included in attacks on the Philippine government and military.
+
10
In contrast to the Vietnamese targeting, this activity involves a mix of actor-registered
and dynamic DNS (DDNS) domains use for C2. However, the actor-registered domain
also used the same initial registrant, ‘[email protected],’ as the final two Vietnamese
samples discussed above, and most campaign codes also appear to end with a date.
Also of note, all but two of these samples used campaign codes that started with
‘340‘. The text within three of the campaign codes refers to the decoy contents. The
campaign codes we saw with the Philippines’ activity are below.
•340_typhoon
•340-0226
•340-dfa-520
•340-0528
•phone
•key0730
Taiwan and Hong Kong
We uncovered three droppers that targeted Taiwan and one
that targeted Hong Kong. One of these claimed to be a
current staff contact list, but when opened, did not contain
any information. As this is the only roster-themed decoy
that did not contain any information, it may indicate this
was a mistake on the threat actor’s part. We were unable to
recover decoy documents for the other two.
The sample targeting Hong Kong contains earthquake
safety information in long form Chinese, copied from
the Internet and widely circulated in multiple languages,
since at least 2009. It has its own entry on Snopes.com
evaluating the accuracy of the information i. This sample is
also an outlier, in that it targeted a science and technology
university, in contrast to most of the other targeting that had
a government or military focus.
This activity shows the clearest striation (Figure 13), with the
cluster on the left using the first two campaign codes below.
• 310-pyq
• mm-0807
FIGURE 13 + Connections between Elise samples and
C2 servers used in attacks on Taiwan and Hong Kong.
• cyd-zc
It is possible this represents two sub-groups targeting Taiwan and Hong Kong with
the same malware over the same period of time. Interestingly, the cluster in the
upper left uses some infrastructure used in the Vietnamese activity, as well as a
registrant seen in the Philippines’ activity.
+
11
Indonesia
We identified one Elise dropper carrying a decoy
document written in Indonesian that contains
information about health foods to avoid the flu, including
a picture of a sweet potato. It appears to have been
copied directly from the Internet. The campaign code
used in this attack was “36-SC-0115,” as well as the
following C2 servers.
•122.10.89.84
•beckhammer.xicp.net
The campaign code and C2s are shown below, and
the C2 matches up with one of the Philippine-targeted
samples in the previously discussed activity. In addition,
the campaign code format and numbers at the end of
the campaign code appear to be a date, which is also
similar to the Philippines’ activity.
FIGURE 14 + Decoy document written in Indonesian,
which describes foods that help fend off the flu.
Elise Backdoor Analysis
Over the course of our research, Unit 42 has identified over 50 samples belonging to
the Elise malware family. Through analysis of these files, we have grouped them into
three distinct variants. Compile timestamps for these samples ranged from June 2012 to
March 2015. The naming of the three Elise malware variants coincides with their original
compile timestamps, starting with the oldest. Please note that these variant labels may
not coincide with naming conventions created by the antivirus industry.
While each variant uses distinct mechanisms for infecting the system and remaining
persistent between reboots, all three variants share the following common attributes:
•An encrypted binary configuration data structure containing a list of C2
servers to contact.
•A campaign identifier, such as ‘jessica-cpt-app’ or ‘370my0216’, which
identifies the specific malware reporting to the C2 server.
•C2 communications using a custom format delivered over HTTP or HTTPS.
•Performs basic network reconnaissance upon installation and reports findings
to C2 server.
Each variant of Elise contains the functionality to perform the following tasks:
•Execute commands, DLLs, or executables
•Write Files
•Read Files
•Update Configuration
•Upload Configuration Data
+
12
Variant A
The first variant of Elise identified by Unit 42 has a compile date set in mid-2012.
This particular variant has a configuration size of 1480 and the ability to install itself
as either a service or executable. Variant ‘A’ is delivered via a dropper executable file,
which differs from later variants that are typically deployed with a malicious Microsoft
Office document.
When executed, the malware will configure itself for deletion upon reboot, using the
MoveFileExA function, as seen below.
MoveFileExA(self, 0, MOVEFILE_DELAY_UNTIL_REBOOT);
Readers may recall seeing this technique used by the Microsoft Excel shellcode
identified in the Vietnam campaign. The malware proceeds to extract and decrypt an
embedded DLL to the following location.
• %APPDATA%\Microsoft\Network\mssrt32.dll
The following algorithm is used to encrypt/decrypt the embedded DLL:
void decrypt_string(char *encrypted, int size)
{
int i;
if ( encrypted )
{
for ( i = size - 1; i > 0; --i )
encrypted[i] ^= encrypted[i - 1];
*encrypted ^= 0x15;
}
}
Prior to writing this DLL to disk, the malware will write the encrypted configuration to
this DLL. The following Python code may be used to decrypt this configuration:
from ctypes import *
from struct import *
import sys
fh = open(sys.argv[1], ‘rb’)
fd = fh.read()
fh.close()
cdll.msvcrt.srand(2014)
out = “”
for x in fd:
out += chr(ord(x) ^ (cdll.msvcrt.rand() % 128))
print repr(out)
+
13
The malware proceeds to configure the mssrt32.dll DLL as a service. This service
is configured with properties specified in the malware’s configuration. The following
example was identified in one of the samples analyzed.
Service Name
MSCM
Display Name
Microsoft Security Compliance Manager
Description
The service provides centralized security baseline management features, a
baseline portfolio, customization capabilities, and security baseline export
flexibility to accelerate your organization¡¯s ability to efficiently manage
the security and compliance process for the most widely used Microsoft
technologies.
Image Path
%SystemRoot%\System32\svchost.exe -k MSCM
Service DLL
%APPDATA%\Microsoft\Network\mssrt32.dll
Service Main
ESEntry
This service is then manually started using a call to the StartServiceA function.
Should the installation of this newly created service fail, the malware will instead
write an executable to the following location:
• %APPDATA%\Microsoft\Network\svchost.exe
The name of this executable is specified within the malware’s configuration data.
This file is embedded and dropped in the same manner the mssrt32.dll file was
previously. Persistence for this executable is set via the following registry key:
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost :
%APPDATA%\Microsoft\Network\svchost.exe
Finally, this executable is run via a call to the ShellExecuteW function.
This dropped DLL or executable contains the actual Elise malware. When run, it will
begin by deleting the following file should it exist:
•%TEMP%\000ELISEA350.TMP
This file will be used going forward to store any log data generated by Elise. The
malware writes its encrypted configuration to one of the following locations:
• %APPDATA%\Microsoft\Network\6B5A4606.CAB
+
14
The following script can decrypt and parse the CAB file:
import sys
def decrypt(data):
out = “”
for x in data:
return out
def parse_config(out):
identifier, \
compile_time, \
unknown1, \
sleep_timer, \
unknown_bool, \
campaign, \
c1, c2, c3, c4, c5, \
unknown_bool2, \
unicode_exe_name, \
service_name, \
registry_service_name, \
display_name, \
service_description = unpack(“40siiib20s50s50s50s50s50sb40s20s20s50
s700s”,
out[0:1154])
print “Config Identifier
: %s” % identifier
print “Compile Time
: %s” % compile_time
print “Unknown DWORD
: %s” % unknown1
print “Sleep Timer
: %s” % sleep_timer
print “Unknown Bool Value : %s” % unknown_bool
print “Campaign
: %s” % campaign
print “Command and Control : %s” % c1
print “Unknown Bool Value 2 : %s” % unknown_bool2
print “Service Executable : %s” % unicode_exe_name.replace(“\x00”,’’)
print “Service Name
: %s” % service_name
print “Registry Service Name : %s” % registry_service_name
print “Service Display Name : %s” % display_name
print “Service Description : %s” % service_description
data = fh.read()
fh.close()
parse_config(decrypt(data))
+
15
The malware proceeds to enter in a loop, where it will attempt to communicate with the specified URLs via
HTTP or HTTPS. It initially sends the following GET request to the C2 servers specified in its configuration:
GET /<param1>/page_<param2>.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Host: <C2 Server>
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
In the request above, the <param1> parameter is determined using the last four octets of the victim’s MAC
address. For example, if the victim’s MAC address was 00-11-22-33-44-55-66, this parameter would become
‘2233445566’. The <param2> parameter is randomly generated using the current time as a seed. This results in
a unique request being made every time.
When an initial communication is made to the remote server, the malware will execute the following
commands to conduct basic network reconnaissance:
• net user
• ipconfig /all
• net start
• systeminfo
Elise uses a series of cookie values in order to exfiltrate data, as seen below.
FIGURE 15 + Elise Variant A POST Request.
+
16
Data contained within these cookies is Base64-encoded. Once decoded and joined,
the data has the following structure.
FIGURE 16 + Elise Variant A Data Encoding.
Variant B
The second variant (B) of Elise has compile timestamps dating back to July 2012.
Variant B has a configuration data structure size of 324 bytes. It is often delivered via
a file exploiting a client-side vulnerability, such as CVE-2012-0158.
When originally installed on a victim machine, the client-side exploit shellcode will
drop two files — an executable file and a DLL. The executable is then run in a newly
spawned process. This executable file loads the second exported function of the
DLL via the function’s ordinal value. This exported function is commonly called either
‘CsOptionsHandle’ or ‘ESHandle’.
When this function is called, this Elise variant will begin by decrypting its 324-byte
configuration structure. The following Python code may be used to decrypt and parse
this configuration:
import sys
def decrypt(data):
out = “”
for x in data:
return out
compile_time, \
unknown1, \
sleep_timer, \
unknown_bool, \
campaign, \
c1, c2, c3, c4, c5, \
unknown_bool2, \
unknown_string = unpack(“iiib20s50s50s50s50s50sb40s”, out)
: %s” % unknown1
print “Campaign
: %s” % campaign
+
17
print “Unknown Bool Value 2 : %s” % unknown_bool2
print “Unknown Unidoce String : %s” % unknown _string.replace(“\
x00”,’’)
data = fh.read()
fh.close()
As we can see, this variant of Elise uses the same encryption/decryption routine
for its configuration data as variant A. The malware proceeds to create one of the
following files that will be used to store this configuration data:
•%APPDATA%\Microsoft\IMJP8_1\8S3N0PW7.dat
•%APPDATA%\\Microsoft\IMJP8_1\26TXNK4F.dat
One of the more interesting features of this variant is its ability to detect either a
VMware® or VirtualPC virtual environment, as we see below.
FIGURE 17 + Elise Variant B virtual environment check.
Should the malware detect it is running within either of these environments, it will
not perform any malicious activity going forward. Otherwise, it proceeds to configure
persistence across reboots by setting the following registry key:
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self]
+
18
When initially run, Elise variant B will also execute the following commands on the
victim machine:
• ipconfig /all
• net start
• dir C:\progra~1
•systeminfo
These command strings are obfuscated within the malware, using the following
algorithm:
char* decrypt_string(char *encrypted, int size)
{
int i;
char *result;
for ( i = 0; i < size; ++i )
{
result = &encrypted[i];
*result ^= 0x1Bu;
}
return result;
}
Exfiltration for variant B uses the same technique used in variant ‘A’. Base64-encoded
cookie values are used to exfiltrate data, as seen below.
The structure of this base64-decoded data remains the same as well. The following
structure is used in variant ‘B’.
FIGURE 18 + Elise Variant B POST Request
+
19
FIGURE 19 + Elise Variant B Data Encoding
Variant C
The third variant of Elise has its earliest compile timestamp in mid-2013 and has been
used in attacks periodically since that time. This variant has been the most prevalent
overall, accounting for roughly 75 percent of all samples identified by Unit 42. The
most recent sample of variant C was compiled in late March of 2015. Additionally,
variant C uses a 336-byte configuration structure.
Similar to variant B, variant C is often delivered via a file exploiting a client-side
vulnerability, such as CVE-2012-0158. This particular variant is delivered as a single
DLL with two exported functions — ‘Setting’ and ‘Update’
When the ‘Setting’ export is called, the malware will copy itself to the following
location:
• %APPDATA%\Microsoft\Network\rasphone.dll
This new file is then called via the following command:
• Rundll32.exe %APPDATA%\Microsoft\Network\rasphone.dll,Update
When the ‘Update’ export is called on rasphone.dll, the malware will begin by checking
if a debugger is attached via a call to IsDebuggerPresent(). In the event it is not
detected, the malware will then check to ensure the DLL has been loaded by Rundll32.
exe by comparing the current filename against ‘dll32’. rasphone.dll uses a simple string
encryption routing. The following code can decrypt encountered strings: void decrypt_string(char *encrypted, int size) {
int i;
if ( encrypted )
{
for ( i = size - 1; i > 0; --i )
encrypted[i] ^= encrypted[i - 1];
*encrypted ^= 0xA0;
}
}
+
20
The malware continues to identify the location of iexplore.exe (%PROGRAM FILES%\
Internet Explorer\iexplore.exe) and spawn a new instance of this process. The malware
will proceed to inject itself into iexplore.exe. Finally, the malware will decrypt an
embedded DLL located in its resource section (‘XDATA’) and write this DLL to a new
section of memory in iexplore.exe. A configuration blob of 336 bytes is subsequently
written to this DLL, and the DLL is loaded into iexplore.exe via a call to LoadLibraryA.
The injected DLL (hereafter referred to as xdata) begins by spawning a new
thread where all further actions will be taken. The malware writes its encrypted
configuration to the following location:
The following script can be used to decrypt this CAB file.
import sys
def decrypt(data):
str_len = len(data) - 1
out = “”
while(str_len > 0):
str_len -= 1
if str_len == 0:
break
out = chr(ord(data[str_len]) ^ ord(data[str_len-1])) + out
out = chr(ord(data[0]) ^ 0xA0) + out
return out
compile_time, \
unknown1, \
sleep_timer, \
unknown_bool, \
campaign, \
c1, c2, c3, c4, c5, c6 = unpack(“iiib20s50s50s50s50s50s50s”, out[0:333])
: %s” % unknown1
print “Campaign
: %s” % campaign
data = fh.read()
fh.close()
+
21
Additionally, this CAB file is “time stomped” to a Create/Modify time of Sunday,
November 21, 2010, 10:29:33 UTC. This malware also writes to a log file located at
the following path.
• %TEMP%\00EL225AF.TMP
Data in this file is not obfuscated or encrypted in any way. The malware proceeds
to enter in a loop, where it will attempt to communicate with the specified URLs
via either HTTP or HTTPS. The following has been identified about the structure of
the binary data submitted via POST requests. This structure is consistent with all
previous Elise variants discussed.
FIGURE 20 + Elise Variant C Data Encoding.
When an initial communication is made to the remote server, the malware will
execute the following commands to conduct basic network reconnaissance:
• net user
• ipconfig /all
• net start
• systeminfo
This data is exfiltrated using a POST request, as seen below.
FIGURE 21 + Elise Variant C POST Request.
In the above example, the ‘2320’ value in the URI is generated using the victim’s
MAC address. The ‘00320511’ value in the URI is generated using the current time.
This allows each request to be unique and also identify the victim machine.
+
22
Previous Research
Multiple research groups have mentioned the Elise backdoor in publicly available
reports. This section highlights some of those to help readers connect this campaign
to previously known attacks.
In 2013, Xecure Labs and Academia Sinica published a joint paper, and they delivered
a presentation at BlackHat in which they identified Elise as part of a larger group of
tools they referred to as the “LStudio,” “ST Group” and “APT0LSTU.” The research
team noted that Elise and other related tools had been used primarily in attacks on
Taiwan (Figure 22), but also against the United States, Canada and other nations.
FIGURE 22 + Slide 30 from BlackHat presentation showing Elise target.
Trend Micro refers to Elise as BKDR_ESILE, making a slight modification to the
author’s chosen name. Trend Micro first reported on Elise in their 2013 2H targeted
Attack Trends report ii. Since then, they have referenced that paper in multiple blogs
and reports iii iv v. This research indicates that the majority of attacks using Elise also
targeted government organizations in the Asia Pacific region.
FireEye refers to Elise as the “Page” malware, because early versions of the Trojan
use the word “page” in their Command and Control URLs. FireEye first noted an
Elise attack in September 2012, which involved a targeted spear phishing attack
against the aviation defense industry vi. FireEye later noted Elise was delivered in an
attack using a lure related to the crash of Malaysian Airlines flight 370 vii.
+
23
Conclusion
Operation Lotus Blossom represents a long-term campaign targeting government
and military organizations in several nations of Southeast Asia conducted by a
persistent attack group. We traced the earliest of these attacks to 2012, and the most
recent occurred during the course of writing this paper. In one case, the targeted
organization received 20 separate email attacks carrying Elise exploit files over the
course of eight weeks.
While we cannot attribute these attacks to those of a specific nation state, the
pattern indicates a highly persistent adversary with the ability to develop custom
tools, and maintain command and control infrastructure, over a long period of time.
This evidence is consistent with a nation state adversary with a strong interest in the
militaries of Southeast Asian nations.
Lotus Blossom may deploy additional tools beyond the Elise backdoor detailed in this
report, after the group has achieved a foothold in the network. Related tools used by
the group include those known as “LStudio,” and Evora.
Unit 42 initially identified the attacks described in this report using Palo Alto Networks
AutoFocus platform, which quickly enables analysts to find connections between
malware samples analyzed by our WildFire system. We combined this data with open
source intelligence to gather additional samples, which broadened the scope of our
analysis. We have tagged all of these samples, and the infrastructure used in this
campaign, within AutoFocus, using the tags Elise and LotusBlossom respectively.
WildFire correctly identifies Elise executables, as well as the exploit files used in
Lotus Blossom attacks, as malicious. We have released IPS signature 14358 in
response, which detects command and control traffic generated by Elise.
+
24
Appendix
Elise Sample Details
SHA256
a28d6d7ac530753bb2ebfe1a9e9bd60269e6d227dec555e538cc36a6decf29f
Campaign Code
PYQ
Command and Control
59.6.2[.]16
cpcl2006.dyndns-free[.]com
shotacon.dyndns[.]info
petto.mooo[.]com
kid.dyndns[.]org
SHA256
949c9457a6c77e7e7f1519435149183c56eb53f7d74439fb848b5d6d91196a73
Campaign Code
PYQ
Command and Control
59.6.2[.]16
shotacon.dyndns[.]info
petto.mooo[.]com
kid.dyndns[.]org
SHA256
712c488950f27e98bc4ebe5b63e5775498236a179cb4576bf021f8e6e6de0df4
Campaign Code
MYGHOST
Command and Control
50.7.11[.]10
www3.bkav2010[.]net
SHA256
b9681c178e087140344e6aec2630c61f6a7be92e97ebbe7ce10528f6f0e6028f
Campaign Code
yxz-tw
Command and Control
184.22.44[.]209
kjd.dyndns[.]org
202.82.202[.]228
wsi.dyndns[.]org
SHA256
dc61e089eebf6fa1b3abf637ce105e0d20666aa52d9001f5fd5034815331cd61
Campaign Code
340_typhoon
Command and Control
beckhammer.xicp[.]net
122.10.89[.]84
SHA256
6eae10f0b9a62a26b19897f7ba627f92e93e458034939f55f2001835c0e1f1be
Campaign Code
llmacau
Command and Control
202.82.91[.]139
218.103.16[.]153
203.218.138[.]30
103.246.245[.]146
+
25
SHA256
8c2cd914de7c125e49019f3826918511150ee4fff8a923da350a99c102b36455
Campaign Code
yxz-kjhkjsxy
Command and Control
184.22.44[.]209
kjd.dyndns[.]org
202.82.202[.]228
wsi.dyndns[.]org
SHA256
a8e0ab6b19400eccd3c9aceb183fe7626d5bde7bdf9b8ec8825aa17cc3a213a3
Campaign Code
340_typhoon
Command and Control
122.10.89[.]84
SHA256
e9971de22a922678fc216e9e3923c7e6b21455ddfbb24eb46e50e1cc7ceacc31
Campaign Code
demo
Command and Control
122.10.89[.]84
122.10.89[.]85
SHA256
0752bbdb0c51a519f17a62dd30a033c224c82168522f2c88949b1a0afc8f9037
Campaign Code
340-0226
Command and Control
harryleed.dyndns[.]org
verolalia.dyndns[.]org
jackyson.dyndns[.]info
scristioned.dyndns-web[.]com
173.231.49[.]98
SHA256
4780442f3cc8d3e1888aa6cecbb05d0c49a6755964eba7a8a6a36d6d2a0ef881
Campaign Code
yxz-tw
Command and Control
wsi.dyndns[.]org
202.82.202[.]228
kjd.dyndns[.]org
184.22.44[.]209
SHA256
bae07b0c3e4e96731360dc4faa49c0d4abe4d3705e768393f21661c82dea13f3
Campaign Code
Alice_vishipel
Command and Control
www.serchers[.]net
142.91.252[.]130
www.aliancesky[.]com
58.64.183[.]92
SHA256
7e386ff64be78af18f8a79d01cb75b0438cbcee4647e0a928100bd52ee56db76
Campaign Code
G140509ZA01
Command and Control
46.251.237[.]59
www.tintuchoahau[.]com
+
26
SHA256
866c698073e4deb66dd83c1ec9567ec03eca9f03775deadb81cc59fdb6cfd446
Campaign Code
310-pyq
Command and Control
cybertunnel.dyndns[.]info
newshappys.dyndns-blog[.]com
www.imonju[.]com
www.serchers[.]net
202.82.202[.]228
SHA256
edb45f03dfd52ab58f163ad2ca48f4bc9c4bcb72ea9181d0e0a1d87859f707a6
Campaign Code
370mymm
Command and Control
122.10.89[.]84
122.10.89[.]85
SHA256
3d2c6d48425212eabb886c2e7e89249e4aa8cf4ad9ec3dd22cafb4f879683d8b
Campaign Code
340-dfa-520
Command and Control
phil-gov.gotdns[.]org
asean-star[.]com
aseansec.dynalias[.]org
113.10.136[.]18
SHA256
d9174d6bbcb51d3df186794109cd6b2036f6231cf8733290eadd399bf8137055
Campaign Code
340-0528
Command and Control
phil-army.gotdns[.]org
asean-star[.]com
113.10.136[.]18
SHA256
30f1f7e848c79212f70794d718d0f3929c24e0f3d28695a7c85a85c77ab7aac9
Campaign Code
310-pyq
Command and Control
cybertunnel.dyndns[.]info
newshappys.dyndns-blog[.]com
www.imonju[.]com
www.serchers[.]net
202.82.202[.]228
SHA256
39dd2381bcd0f47dadf23399254bf1b51a837179e5634328afafe07510f5888a
Campaign Code
340-0528
Command and Control
phil-army.gotdns[.]org
asean-star[.]com
113.10.136[.]18
SHA256
e2181b3d47feb5a321fe3b85b08a0245a1e0824b213e568fa4736d529fd5f8c2
Campaign Code
731
Command and Control
usa-moon[.]net
23.234.63[.]197
+
27
SHA256
c19d3242d43c71f03f5873231444c12a6a11892dd7f0142ff10479f1f718382d
Campaign Code
key0730
Command and Control
usa-moon[.]net
23.234.63[.]197
SHA256
24bb8e48f37cbd71b2195cff4f52ec304a2ed9d60c28d2afd785e6f32639325f
Campaign Code
bio
Command and Control
usa-moon[.]net
23.234.63[.]197
SHA256
65c901b19e2eec6b8392100c1073253641a95dd542f39c9ca95755e8a2afde14
Campaign Code
Alice_Spider
Command and Control
58.64.183[.]92
www.serchers[.]net
162.211.181[.]107
SHA256
34943d8718d35a633bafefb6f113b3486945ec7dcd19bde11ca3c29feed44af3
Campaign Code
HKDLS
Command and Control
101.55.121[.]47
27.255.64[.]231
www.iascas[.]net
59.188.247[.]32
SHA256
400148084474b709a060b844966cf75301d5f2c2b8ae1048f37f634073ead630
Campaign Code
FUCKU
Command and Control
101.55.121[.]47
118.193.212[.]61
www.seachers[.]net
SHA256
61a66afac2702276f6bba2cfcab58198fced893ad1da27aef228259869f5383f
Campaign Code
FUCKU
Command and Control
101.55.121[.]47
118.193.212[.]61
www.seachers[.]net
SHA256
6f039f217d8b3bf6686e298416f084884b9a7ec0ee51f334ecc3f5a2da9145a8
Campaign Code
FUCKU
Command and Control
101.55.121[.]47
118.193.212[.]61
www.seachers[.]net
SHA256
eae4b429b0b732d49750400e70caef579450d0651373440f536de71d6134c173
Campaign Code
FUCKU
Command and Control
101.55.121[.]47
118.193.212[.]61
www.seachers[.]net
+
28
SHA256
8f7c74a9e1d04ff116e785f3234f80119d68ae0334fb6a5498f6d40eee189cf7
Campaign Code
HKDLS
Command and Control
101.55.121[.]47
27.255.64[.]231
www.iascas[.]net
59.188.247[.]32
SHA256
a462085549f9a1fdeff81ea8190a1f89351a83cf8f6d01ecb5f238541785d4b3
Campaign Code
FUCKU
Command and Control
101.55.121[.]47
118.193.212[.]61
www.seachers[.]net
SHA256
Campaign Code
mm-0807
Command and Control
www.imonju[.]net
61.58.31[.]102
202.77.181[.]179
SHA256
96356db43d7e9a5c3c4e3f9f7ee9a3dba14ad1c7db7367b7f6d664db4f0ef5d7
Campaign Code
jessica-cpt-app
Command and Control
www.serchers[.]net
162.211.181[.]107
58.64.183[.]92
SHA256
bd78e106f208cbb8ea9e5902d778514f1fc2d15876fca292971c6695541889a3
Campaign Code
jessica-cpt-app
Command and Control
www.serchers[.]net
162.211.181[.]107
58.64.183[.]92
SHA256
96410865d46cda89c7c34c60d485c2378a98acbba7ead5ada90daa02a94ba299
Campaign Code
Alice_erpas
Command and Control
www.boshman09[.]com
www.chris201[.]net
58.64.183[.]92
SHA256
a98db2098fe9e3e203bed8318ae1d71e8a7b68f801613be10f3917baad7b49b2
Campaign Code
jessica-cpt-app
Command and Control
www.serchers[.]net
162.211.181[.]107
58.64.183[.]92
+
29
SHA256
233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3
Campaign Code
KITY090901
Command and Control
46.251.237[.]59
SHA256
b1e30dd3ad2c3290adad848f7199e03f365ecf484c44c6c7eaf42f6b323cd30b
Campaign Code
KITY090901
Command and Control
46.251.237[.]59
SHA256
9a226eeae1fc51a2bc2e72b098d5654238d0cc8eae29c0cdaacb49ae9d997d04
Campaign Code
QY030610
Command and Control
95.154.195[.]152
www.vienclp[.]com
SHA256
463c6c6ffb8ecf2df44e294818dd500457807ff126dd658c5fe329c09f43a6e0
Campaign Code
KITY01232
Command and Control
95.154.195[.]152
www.vienclp[.]com
SHA256
3a806f8efa338c871b1338a5db8af4128012559d09b06ab997db50a0f90434b1
Campaign Code
KITY01232
Command and Control
95.154.195[.]152
www.vienclp[.]com
SHA256
8ce0b29202f3df23ce583040e2ffe79af78e0bb375ce65ec37a6ffe7d49b5bb5
Campaign Code
QY030610
Command and Control
95.154.195[.]152
www.vienclp[.]com
SHA256
2551f95845ad83ebc56853442bb75c11517e99fe0196ecb30f80e5b203c9a9ff
Campaign Code
QY030610
Command and Control
95.154.195[.]152
www.vienclp[.]com
SHA256
e4a460db653c8df4223ec466a0237943be5de0da92b04a3bf76053fa1401b19e
Campaign Code
QQQQQ
Command and Control
boshman09[.]com
chris201[.]net
58.64.183[.]92
+
30
SHA256
0adbf0f6a5c21054e569b2ef68c8c6ae7834a0700672c1f3ec6e50daf49a3a94
Campaign Code
oyf
Command and Control
www.boshman09[.]com
www.chris201[.]net
210.209.79[.]29
SHA256
49bf19bd2381f5c78eb2d00a62e1b377620705dba0fa843fb8c8d26d92ec52e4
Campaign Code
36-SC-0114
Command and Control
103.244.91[.]16
162.211.181[.]26
101.55.120[.]165
newinfo32.eicp[.]net
SHA256
9e5c286fcc47c8346267574ea805cde24b04915f5372f03923c0d6a13290e0ea
Campaign Code
36-SC-0127
Command and Control
www.interhero[.]net
101.55.120[.]165
101.55.120[.]153
www.babysoal[.]com
SHA256
0201aaa8eda6dedc6c90381e225620cd33fb7b244f76bf229c3dd43feb9bdeaf
Campaign Code
Alice_rosey
Command and Control
210.209.127[.]8
www.boshman09[.]com
www.chris201[.]net
45.64.113[.]130
SHA256
f0304a1f7d87ac413f43a815088895872be0045a33c5f830b4b392a7ce5b8c46
Campaign Code
340-dfa-1007
Command and Control
usa-moon[.]net
aseaneco[.]org
103.28.46[.]96
SHA256
fd6302a152b0a2eff84b6ef219db5d79b6039043dfd5799ac9a4a0cced58e8bd
Campaign Code
370my0216
Command and Control
113.10.222[.]157
www.tgecc[.]org
SHA256
00c0e0c14835c08d220ef27ef6324df86880167d416ff7183d7df241ffebc3f8
Campaign Code
ooo
Command and Control
www.boshman09[.]com
www.chris201[.]net
210.209.79[.]29
+
31
SHA256
8e180a9d7f233c189519bbfa2b649ca410c4869457e0cf8396beb82ffbffd05c
Campaign Code
ooo
Command and Control
www.boshman09[.]com
www.chris201[.]net
210.209.79[.]29
SHA256
b0ffb80762f25935415a7ffd6b9402a23c2b6b4dc4921419ef291160cf7f023b
Campaign Code
Alice_15A
Command and Control
210.209.127[.]8
www.boshman09[.]com
www.chris201[.]net
SHA256
093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a
Campaign Code
Alice_rosey
Command and Control
210.209.127[.]8
www.boshman09[.]com
www.chris201[.]net
45.64.113[.]130
SHA256
8e7c198e1eaa5be2d1415be3001c217634ae207b8f912e9a84af6c6016aa467e
Campaign Code
ooo
Command and Control
www.boshman09[.]com
www.chris201[.]net
210.209.79[.]29
SHA256
97d6699e449ddad97cc33e380a4873a7ceb0e8f0f50b5c8f72e6a4ff3dd1009f
Campaign Code
phone
Command and Control
usa-moon[.]net
aseaneco[.]org
103.252.19[.]13
SHA256
b53f98c113e7f72ff5170dcdb2ab2b1c15a02aadb72b2d2710d899aea9b875bd
Campaign Code
phone
Command and Control
usa-moon[.]net
aseaneco[.]org
103.252.19[.]13
SHA256
b2232492776267599307309e9d8874aac25e7cb31b155b0ca05349312690372f
Campaign Code
cyd-zc
Command and Control
101.55.121[.]47
118.193.212[.]61
SHA256
64ffe128c61289bec90057c7bf3ff869c329ffcb1afa4c4cd0daed1effabf105
Campaign Code
cyd-zc
Command and Control
101.55.121[.]47
118.193.212[.]61
+
32
Elise Executable SHA256 values
0201aaa8eda6dedc6c90381e225620cd33fb7b244f76bf229c3dd43feb9bdeaf
1333a300b03fb2d7bf028f4dee3d9b1f9c97267266faec9e02064862fbb6acb4
135e37122c23f26fed98b3bc884171c91c370250a73c6660b20416497b66a750
24bb8e48f37cbd71b2195cff4f52ec304a2ed9d60c28d2afd785e6f32639325f
2c2eb2eaadf9253a78265ac4655a6ec5935aa2673ff5e4fe3bb6753803c7fe59
2c512b50f8aa0881120d844b0bbbf7baa33465083fdc85755d51d1b5721bc057
2d43632953b511e1f1c7698de3c21b2ba7c27b75bb6079f51dcf9376e05e42b7
376c3ea59411380ab5146b3bc39ee79cf7f78b08dd712ef1cc5327bda5a2e46b
39dd2381bcd0f47dadf23399254bf1b51a837179e5634328afafe07510f5888a
3eb115f4eb62c4404be1a318afa3837bdba8fd66938efe15664741d942a85add
49bf19bd2381f5c78eb2d00a62e1b377620705dba0fa843fb8c8d26d92ec52e4
4de470147d90efbb440aa4420a5832b4f22f9f6128183568fe604df6427cc06b
4ff70adad080095421f34873e491c9da2e798f8db96a984f87efb9889d246fcb
5960d8f8b26edb453926efbd424332eabc0e1a74e25dbc1e9a570cc5920c8830
64ffe128c61289bec90057c7bf3ff869c329ffcb1afa4c4cd0daed1effabf105
712c488950f27e98bc4ebe5b63e5775498236a179cb4576bf021f8e6e6de0df4
7b2d470b9c6159c97cef2634493be0e4f2994f43501605a14d4c5a7efdeac3ba
7e386ff64be78af18f8a79d01cb75b0438cbcee4647e0a928100bd52ee56db76
840d18698ff0b114ee587f57231001d046fbd1eb22603e0f951cbb8c290804ed
866c698073e4deb66dd83c1ec9567ec03eca9f03775deadb81cc59fdb6cfd446
899730962e10546c9d43a9ffa79d900fd37c0d17f95aa537b67d31aa737447b5
8b4446cfaee549072c5da2468af7b9fec711f2d28851a3e8076fcfb53393a415
8c2cd914de7c125e49019f3826918511150ee4fff8a923da350a99c102b36455
8ce0b29202f3df23ce583040e2ffe79af78e0bb375ce65ec37a6ffe7d49b5bb5
8f7c74a9e1d04ff116e785f3234f80119d68ae0334fb6a5498f6d40eee189cf7
90296f0ecacc017bcf289297f5743660dd18bbc2842e631e9be4b2dc51732412
96356db43d7e9a5c3c4e3f9f7ee9a3dba14ad1c7db7367b7f6d664db4f0ef5d7
97d6699e449ddad97cc33e380a4873a7ceb0e8f0f50b5c8f72e6a4ff3dd1009f
9e5c286fcc47c8346267574ea805cde24b04915f5372f03923c0d6a13290e0ea
a462085549f9a1fdeff81ea8190a1f89351a83cf8f6d01ecb5f238541785d4b3
b5a1f7e9d0d6d3bec17674610a3b26991083e1e3cb81729714b69c18038a902f
bd78e106f208cbb8ea9e5902d778514f1fc2d15876fca292971c6695541889a3
d68a90fbe579a8199d78ef9ca001301e2c55a3015d4e3df3c238c276ed7cc1ce
dc06012b4aef457efb0ecb9cdca579bb573823a1a63bb7a2ba92c7ce0c2ddbfb
e2181b3d47feb5a321fe3b85b08a0245a1e0824b213e568fa4736d529fd5f8c2
e4a460db653c8df4223ec466a0237943be5de0da92b04a3bf76053fa1401b19e
edb45f03dfd52ab58f163ad2ca48f4bc9c4bcb72ea9181d0e0a1d87859f707a6
f0304a1f7d87ac413f43a815088895872be0045a33c5f830b4b392a7ce5b8c46
f307280077b2a60d991a68c5700cbc57fe0ab6ec005caba0b0bcca4dbc5a1e2f
fb506b8dd4025e247ac2fa12ffd46fd1cb6a06a138995a5cbda49074d567f615
fd2d9011ec860ba211d169063248d13d17425f210ff87a6c5a610b4704866339
+
33
Elise Delivery Document SHA256 values
9a226eeae1fc51a2bc2e72b098d5654238d0cc8eae29c0cdaacb49ae9d997d04
7e917319e2af9457c35afbb539c09233da2e02d6a64f970706dae9f6c3c791eb
c19d3242d43c71f03f5873231444c12a6a11892dd7f0142ff10479f1f718382d
dc61e089eebf6fa1b3abf637ce105e0d20666aa52d9001f5fd5034815331cd61
fd6302a152b0a2eff84b6ef219db5d79b6039043dfd5799ac9a4a0cced58e8bd
e9971de22a922678fc216e9e3923c7e6b21455ddfbb24eb46e50e1cc7ceacc31
d9174d6bbcb51d3df186794109cd6b2036f6231cf8733290eadd399bf8137055
b53f98c113e7f72ff5170dcdb2ab2b1c15a02aadb72b2d2710d899aea9b875bd
b2232492776267599307309e9d8874aac25e7cb31b155b0ca05349312690372f
463c6c6ffb8ecf2df44e294818dd500457807ff126dd658c5fe329c09f43a6e0
3d2c6d48425212eabb886c2e7e89249e4aa8cf4ad9ec3dd22cafb4f879683d8b
093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a
b0ffb80762f25935415a7ffd6b9402a23c2b6b4dc4921419ef291160cf7f023b
8e180a9d7f233c189519bbfa2b649ca410c4869457e0cf8396beb82ffbffd05c
8e7c198e1eaa5be2d1415be3001c217634ae207b8f912e9a84af6c6016aa467e
00c0e0c14835c08d220ef27ef6324df86880167d416ff7183d7df241ffebc3f8
0adbf0f6a5c21054e569b2ef68c8c6ae7834a0700672c1f3ec6e50daf49a3a94
96410865d46cda89c7c34c60d485c2378a98acbba7ead5ada90daa02a94ba299
a98db2098fe9e3e203bed8318ae1d71e8a7b68f801613be10f3917baad7b49b2
b1e30dd3ad2c3290adad848f7199e03f365ecf484c44c6c7eaf42f6b323cd30b
4780442f3cc8d3e1888aa6cecbb05d0c49a6755964eba7a8a6a36d6d2a0ef881
bae07b0c3e4e96731360dc4faa49c0d4abe4d3705e768393f21661c82dea13f3
65c901b19e2eec6b8392100c1073253641a95dd542f39c9ca95755e8a2afde14
30f1f7e848c79212f70794d718d0f3929c24e0f3d28695a7c85a85c77ab7aac9
0752bbdb0c51a519f17a62dd30a033c224c82168522f2c88949b1a0afc8f9037
b9681c178e087140344e6aec2630c61f6a7be92e97ebbe7ce10528f6f0e6028f
6eae10f0b9a62a26b19897f7ba627f92e93e458034939f55f2001835c0e1f1be
+
34
Lotus Blossom Command and Control Servers
101.55.120.153
101.55.120.165
101.55.121.47
103.244.91.16
103.246.245.146
103.252.19.13
103.28.46.96
113.10.136.18
113.10.222.157
118.193.212.61
122.10.89.84
122.10.89.85
142.91.252.130
162.211.181.107
162.211.181.26
173.231.49.98
184.22.44.209
202.77.181.179
202.82.202.228
202.82.91.139
203.218.138.30
210.209.127.8
210.209.79.29
218.103.16.153
23.234.63.197
27.255.64.231
45.64.113.130
46.251.237.59
50.7.11.10
58.64.183.92
59.188.247.32
59.6.2.16
61.58.31.102
95.154.195.152
asean-star.com
aseaneco.org
aseansec.dynalias.org
beckhammer.xicp.net
boshman09.com
chris201.net
cpcl2006.dyndns-free.com
cybertunnel.dyndns.info
harryleed.dyndns.org
jackyson.dyndns.info
+
35
kid.dyndns.org
kjd.dyndns.org
newinfo32.eicp.net
newshappys.dyndns-blog.com
petto.mooo.com
phil-army.gotdns.org
phil-gov.gotdns.org
scristioned.dyndns-web.com
shotacon.dyndns.info
usa-moon.net
verolalia.dyndns.org
wsi.dyndns.org
www.aliancesky.com
www.babysoal.com
www.boshman09.com
www.chris201.net
www.iascas.net
www.imonju.com
www.imonju.net
www.interhero.net
www.seachers.net
www.serchers.net
www.tgecc.org
www.tintuchoahau.com
www.vienclp.com
www3.bkav2010.net
i
Triangle of Life. Snopes. December, 2009. http://www.snopes.com/inboxer/household/triangle.asp
ii
Targeted Attack Trends 2013 2H. Trend Micro Inc. May 19, 2014.
http://www.itu.int/en/ITU-D/Cybersecurity/Documents/2H_2013_Targeted_Attack_Campaign_Report.pdf
iii
Targeted Attack Trends in Asia-Pacific. Trend Micro Inc. Nov. 20, 2014. http://www.trendmicro.co.in/in/
cloud-content/apac/pdfs/security-intelligence/reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf
iv
BKDR_ESILE.SMEX. Trend Micro Inc. May 28, 2013.
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_ESILE.SMEX
v
ESILE Targeted Attack Campaign Hits APAC Governments. Trend Micro Inc. July 28, 2014.
http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/
esile-targeted-attack-campaign-hits-apac-governments
vi
Analysis of Malware Page. Singh, Abhishek. Sept. 12, 2012.
https://www.fireeye.com/blog/threat-research/2012/09/analysis-of-malware-page.html
vii
Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight
MH 370. Moran, Ned & Lanstein, Alex https://www.fireeye.com/blog/threat-research/2014/03/
spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html
4401 Great America Parkway
Santa Clara, CA 95054
Main:+1.408.753.4000
Sales:
+1.866.320.4788 Support:+1.866.898.9087
www.paloaltonetworks.com
Copyright ©2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks,
the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of
Palo Alto Networks, Inc. All specifications are subject to change without notice.
Palo Alto Networks assumes no responsibility for any inaccuracies in this document
or for any obligation to update information in this document. Palo Alto Networks
reserves the right to change, modify, transfer, or otherwise revise this publication
without notice. PAN_WP_U42_OLB_061515

Operation Lotus Blossom

Transcription

Similar documents

4Lamisil: “Digger.” An animated dermatophyte drove Novartis

Plan Preliminar de Mercadeo

A-4 ICANAFFORDCOLLEGE

dtc advertising that kicks badonkadonk

Campaigns and actions: some recent Dutch experiences

First zero carbon store in Thailand (Kom Chad Luek 15/02/2012

Fredrik Strauss: Automated Optimization of Online Advertising

General McClellan`s peninsula campaign - My

Sir Mix-A-Lot

RoomWizard® II Scheduling System Technical Specifications